The tech that makes anti-terrorism tip lines effective

New database technologies help homeland security agents piece together intelligence data from state to state

By H. B. Hatter

Mar 07, 2011

EDITOR'S NOTE: This article was updated March 8, 2011, to correct the name of Kevin Knorr, Nebraska State Patrol and director of the Nebraska Information Analysis Center.

Earlier this year, two private-sector employees did exactly what the Homeland Security Department intended when the department launched its "See Something, Say Something" public safety campaign to encourage people to report suspicious activity.

One employee, who worked for Con-way Freight in Ann Arbor, Mich., noticed that a package of chemicals was en route to a Saudi college student in Lubbock, Texas, and called the local police. The second tipster, who notified the FBI, worked for the chemical manufacturer itself in Burlington, N.C.

Have something, use something

A critical feature of the National Suspicious Activity Reporting Initiative is that it allows fusion centers and law enforcement officials to share Suspicious Activity Reports and search across others’ SARs without changing the way they do business, said David Lewis, chief technology officer of the initiative at the Justice Department's Office of Justice Programs.

For example, fusion centers will ultimately be able to conduct federated searches across any one of the following three existing secure but unclassified networks:

Law Enforcement Online. Regional Information Sharing System. Homeland Security Information Network. That approach avoids directing personnel to a separate Web portal that is used exclusively for a single purpose and requiring them to create and juggle one more authentication credential. “The fusion centers can use whatever networking tool they feel most comfortable with and all get to the same place, which is a huge accomplishment in information sharing,” Lewis said.

After an in-depth investigation, the Justice Department announced in late February that it had arrested the student, Khalid Ali-M Aldawsari, and charged him with plotting to build and use a weapon of mass destruction.

These types of front line-generated suspicious activity reports (SARs) are likely to increase with the expansion of the See Something, Say Something initiative, which was launched in summer 2010 to encourage the public to report indicators of terrorism, crime and other threats to law enforcement authorities.

“We’re definitely preparing for what we think could be a significant boost in reports,” said Kevin Knorr, a captain at the Nebraska State Patrol and director of the Nebraska Information Analysis Center (NIAC), one of 72 state and city fusion centers established in the aftermath of the 2001 terrorist attacks to collect and analyze SARs and work with homeland security officials to ward off terrorist attacks.

“Already when we do outreach programs, we throw out examples of suspicious activities, and it just clicks for some people,” Knorr said. “We typically get three or four that come up afterward and start talking about what they may have yesterday and want to know whether or not that meets the criteria" for a SAR.

According to DHS officials, the technology required to handle the extra load of public reports and share them nationwide is well on its way to being in place. The process involves three main steps:

Front-end collection of SARs from the community and local law enforcement agencies.

The fusion center process for vetting SARs for credibility and potential privacy violations and then analyzing them for a nexus to terrorism.

Sharing the information through the National SAR Initiative (NSI), a distributed model that, once fully in place later this year, will enable fusion centers to conduct federated searches of SARs and share results across jurisdictional lines.

“Ultimately, this process has got to be automated, because if we are successful getting lots of people in the country to report this information, it will swamp the manual investigator,” said Paul Wormeli, executive director emeritus of the IJIS Institute, a nonprofit organization that has a grant from the Office of Justice Programs to provide hardware and software for NSI.

Keeping it local

In the past, when average people observed something suspicious, they didn’t always know whom to tell. As in the Aldawsari case, sometimes they contacted the FBI; other times, their local 911 operator.

The See Something, Say Something plan encourages the public to make reports to local authorities rather than federal agencies, a fact that is spurring many states and localities to take a more disciplined approach to data collection.

Some states, such as Tennessee, Colorado and Nebraska, are providing online forms that, once filled out, are routed to a fusion center for vetting and analysis. The New Jersey Office of Homeland Security and Preparedness recently created a Facebook page that details the e-mail address and phone number that people should use to make a report. Others are relying on websites, social media tools and other marketing outlets to encourage people to call 911 when they observe suspicious behavior.

“We’ve kind of adopted this general principle that it’s important to vet a report as close as possible to its origin,” Wormeli said, noting that law enforcement and fusion center personnel will be able to investigate quickly using predictive analysis tools to throw out bad reports and stay focused on those that merit further analysis.

Malcolm Sloane, program manager at the Tennessee Fusion System, agreed and added that keeping the reports local will yield a number of benefits. “Having all those SARs in the same repository within our fusion center gives us the ability to see or connect those dots in a way that helps us understand if there is a focused attention on certain aspects of critical infrastructure or activity that may be focused in one area or even across the state.”

‘Actionable’ intelligence

Fusion centers are a state and local effort, and as a result, they vary widely in their technological sophistication, said David Lewis, chief technology officer for the National SAR Initiative (NSI) at the Justice Department's Office of Justice Programs. Some rely on full-scale data collection and predictive analysis systems that are integrated with larger law enforcement reporting systems. Others depend only on stand-alone records management systems, computer-aided dispatch systems or simple databases.

“We have found some locations where they have nothing at all in terms of data gathering for SARs specifically,” Lewis said.

However, there are a large number of fusion centers that have taken steps to streamline and automate the SAR information process by acquiring specialized IT solutions.

For example, the Tennessee Bureau of Investigation Fusion Center has installed SAS’ Memex intelligence management platform, which is programmed with state privacy laws and federal data management regulations. The solution collects SARs from a Web-based reporting tool and other sources and houses them in a central repository where they can be aggregated, analyzed and shared with more specialized analysts or discarded.

“We pick up speed and accuracy in terms of analyzing our reports by having the electronic interfaces,” Sloane said, estimating that the system will also allow his organization to absorb at least a 25 percent increase in publicly reported SARs. “And we are able to share that much quicker with other partners that we have or agencies that may need to have that information promptly.”

If an analyst deems it appropriate, a SAR can be automatically routed by the Memex system to NSI, which is now operational at the Tennessee Fusion Center.

Going national

The good news is that fusion centers don’t need to have the latest and greatest intelligence management technology to effectively use NSI, Lewis said.

The Office of Justice Programs began the project in spring 2010. But unlike with similar national data-sharing efforts, officials weren’t interested in building a centralized database. Instead, NSI will use a common database based on the National Functional Standard for SARs in every fusion center.

“All fusion center officials have to do is take their local information and map it to the National Functional data elements,” Lewis said, citing the similar model of the National Sex Offender Public Registry. “Then they just continue to use their tools and push the SARs they want to share out to the common box.”

Other fusion center and law enforcement officials can then go onto existing secure law enforcement and homeland security networks to conduct a federated search of all the fusion center databases.

The search, which Lewis described as Google-like, returns summaries of SARs and allows a searcher to expand the report, look at the narrative, and view the contact for the fusion center analyst or law enforcement investigator involved. The system will also save their search criteria and send an e-mail whenever someone makes a similar inquiry.

About 20 fusion centers are already sharing information across NSI, and another 10 to 15 sites are expected to be up and running by the middle of spring. Lewis said he is hoping that all 72 sites will be able to conduct searches, if not provide their own SARs, by the 10th anniversary of the 2001 terrorist attacks.

Lewis added that by having an end-to-end process, fusion centers and law enforcement officials will be much closer to the goal of getting the right information into the right hands at the right time.

“By bringing all this information together, it’s going to be easier for us to sift through all these SARs — whether they come from law enforcement or the community — [and] determine what’s valid and what is really connected and what could turn into some type of terroristic event,” he said. “So we’re really assisting in helping fusion centers share nationally what might be a minute piece of information but could actually be the key to breaking a huge case.”

inside gcn

Reader Comments

Fri, Mar 4, 2011
Robert Scott

I sincerely hope that 'someone' is exercising restraint and remember an ancient quandry:Qui custodiet ipso custode?Who shall guard us from our Guardians?Benjamin Franklin warned us:'We have crafted you a Free Republic, if you can keep it.'

Local vetting of SARs is well and good, but who is vetting the local authorities who are both issuing AND vetting SARs?

InfraGuard has already provided ample reason for concern; Civilian and utterly untrained personnel recruited from local business leaders half of whom have financial problems and according to hearings shown on C-Span these people have been abusing their influence as members of InfraGuard.

I sincerely hope that your concentration is NOT upon keeping our people SAFE, more than it is to keep us FREE.If you fail to keep us FREE, the terrorists have won.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.